Information & Ethics Committee on Jan. 31st, 2017

Yes. I agree it's a huge concern, but there were very weak protections for Canadians' data that went cross-border to the U.S. in the first place. Some of the problems with that executive order actually have to do with data transmitted through the Internet that the NSA would intercept itself. It wasn't necessarily given from the Canadian government.

I think there's a much bigger question around how we work with our partners to ensure that our data and our citizens' data is protected, as well as those agreements we make up front. If we're going to enter into information sharing, what are the provisions that we need and the guarantees for our own citizens?

I would suggest it's exactly as Mr. Elder referred to. It's a matter of trusting. You're going to have to trust. If you're going to enter into these bilateral or multilateral information-sharing arrangements, you're going to have to trust.

We can also put in place general limitations on what kind of information we share. What is the nature of the information we share? Also—and this is one of the things that might sound a little bit repetitive—what's the magnitude of the information we share? If the RCMP receives a query from the Department of Homeland Security regarding an individual that they have under investigation, that's a very different thing than giving the FBI full access to the Canadian Police Information Centre, which is currently the case. They're allowed almost unsupervised access to a massive trove of data. We don't have a whole lot of insight, accountability, or oversight, or even an understanding of what is happening with that information.

If it's on a case-by-case basis so that it's much more limited or it's much more controlled, then you have a much better sense of why they're asking. What's the nature of the information? Is it particularly sensitive? Is it something that's stigmatizing? Does it relate to, for example, religion or protected expression under our charter or all these other sorts of things? Shared databases and massive troves of information seem to be the trend these days. Instead of using knowledgeable investigative insight and individuals with the proper skills, they're throwing in technology, collecting a lot of information to create a haystack as big as they can, and then using technology to go through it looking for needles.

The problem is that the haystack is information about individuals who are 99.999% innocent. Technological scanning, for example, will produce false positives, will result in individuals wrongly ending up on no-fly lists and other things, or worse, ending up being tortured in a basement somewhere. That's what we need to protect. You don't share sensitive information that could cause harm to our citizens with somebody that you don't absolutely trust in terms of what's going to happen with that information.

Unfortunately, as Mr. Elder said, no Canadian law can tie the hands of any foreign government once they have that information. It needs to be a two-way street. It needs to be a relationship built on trust, but trust that's verified. Keep an eye on their track record. Has the information gone elsewhere? Be prepared to kind of pull back on the leash if there's any sign of trouble.

Just to add to that, I certainly think our treaty arrangements and mutual sharing agreements with foreign governments can attempt to limit what those foreign states do subsequently with the information they receive from us, specifically preventing them, for example, from disclosing information they got from us to other states without our okay, or things like that.

The only remedy we would have when those arrangements aren't followed is to pull back on future sharing, or maybe there are other diplomatic channels and consequences to that relationship. Those are really the only things we can do if things go off the rails.

I certainly think that is a mechanism that might help. I think, as a country, we wouldn't want information shared indirectly with countries that we wouldn't otherwise have shared with directly.

I guess there are two thoughts on the subject, and thank you for the question, because it is something we didn't address maybe as explicitly as we should have in the position paper.

I don't think that CBA was ever considering a situation in which another department would ask for it. I would say that right from the get-go, there should be a restriction on that. If you're a department asking another institution for information that they've obtained through extraordinary powers, I don't think that should be permitted.

I think our comment was more on the other scenario, in which the institution that has those powers gets information that they believe would be relevant to another institution. Our submission was that the information should only be handed over to that other institution if it's very clearly necessary to allow that other institution to fulfill its functions that relate specifically to national security.

I think it's a very interesting question. It raises the spectre that I didn't even think of as well, which is essentially information laundering. I'm actually a little ashamed, because I'm usually pretty good at worst-case scenarios.

In an example like this you could—I don't know, but maybe this is one of those movie plot theories—imagine a scenario in which, for example, CSIS goes to the RCMP and says they would like to have all the recordings the RCMP have made of communications they intercepted with a warrant. Now, the RCMP can't make collateral use of that, likely because of the conditions in the warrant. However, as soon as CSIS has it, which they can do under SCISA, they're not subject to those restrictions; they're subject to their own kind of restrictions.

You could, in fact, by moving information from one department to another—which is completely allowed under this—change the nature of the protection of that information or lift those protections. That section 9 that I referred to would remove any civil liability for doing that, and that could be troubling.

Yes, I'm going to lose sleep over that.

I'm happy to answer that.

Part of it relates to the question of relevance: what is relevant to investigations related to activities that undermine the security of Canada? Relevance is a very low threshold. If you're going to tinker with it, I would adopt “necessary”, because that's stricter.

Another problem is going to be that there's no oversight. There's no mechanism by which you can test whether or not something is, in fact, reasonable; reasonable is in the eye of the beholder.

Then also, we're now in the 21st century, when investigative means aren't simply following up leads but are analyzing databases and taking massive amounts of information and running them against algorithms in order to try to make information surface. If you are investigating to try to find the next person who's going to commit murder in a mosque, for example, if you have the mindset that the best way to do that is to analyze massive data sets because doing that is relevant to dealing with situations that would undermine the security of Canada, you can justify that in that sort of circumstance. When your mindset is that you operate by analyzing bulk data sets, then you can very easily see and connect those dots and take something that way. It might not have been the intention, but in this day and age, that is how a lot of investigations and a lot of intelligence work are being done, so we need to have the limitations that are in it.

As I said, I'd be happy to have the whole thing thrown out and rewritten and to have these things dealt with in the Privacy Act. The four recommendations made by the Canadian Bar Association would dramatically improve it, but we need to have the proportionality in it. It's the use of bulk data that troubles me the most.

Well, I can say we haven't done a full budgeting workup of what that would look like or those costs, so I'm not in a position to tell you today that it's going to require so many employees or that there's going to be an annual budget.

What I can say is that I think for that to work, a couple of things have to happen. One, as we said in our submission, is that it's really important that the institutions involved in information sharing—both those disclosing and those receiving—have to keep records of what's going on. I think it would be desirable for there to be some kind of regular reporting function between those institutions and whatever governing body or oversight body is created. I think it makes sense that the oversight body would have powers to investigate and compel production of information, potentially audit-like powers.

That's probably all I'll offer you at the moment. I'm sorry I don't have further information.

Thank you very much for your questions.

To your first question, on whether there are too many, I think part of the issue is that we don't really know. That's because for a number of these listed institutions, it's not obvious—to me, anyway—exactly what their responsibilities and authorities that relate to national security are. For some of them it's a bit more obvious; for some of them it's not obvious at all.

That's exactly why we recommended that as part of this you not only identify the institution but you also explicitly identify the sections of their legislative mandate that would clearly relate to some authority over the protection of national security.

I guess what we're really talking about is accuracy. There are general provisions right now in the Privacy Act for all government departments that any information they're collecting, using, or disclosing should be reasonably accurate and that they should take steps to ensure that it is.

Our particular concern stems from the tragic case of Maher Arar. From information that turned out to be inaccurate and that may not have been adequately vetted before being handed off to foreign governments, we wound up with a Canadian citizen being detained and tortured, with all kinds of horrible things. That's really the worst-case scenario, and it's a great reason for being really careful with the information we're sharing, particularly when it is being shared with a foreign power.

Well, definitely, in accordance with our position, we think those records should definitely exist, because without those records it's very difficult for anybody to have any kind of oversight to check up on exactly how the law is being implemented and what information is being shared.

In terms of access, certainly they should be accessible by whatever oversight body is tasked with that oversight. As to whether they should be generally available to all parliamentarians, I think that is a more difficult question that I'm not sure I can answer now. Obviously there will be puts and takes to that. On the one hand, it will be extremely sensitive information, in many cases. You'd need to have very clear security protocols and clearances and that sort of thing.